apiserver: make InClusterConfig errs for delegated authn/z non-fatal

2025-07-23 11:50:44 +00:00 · 2018-09-05 09:12:19 +02:00 · 2018-09-05 09:12:19 +02:00 · 04e793e65a
commit 04e793e65a
parent 059fce63b7
2 changed files with 10 additions and 4 deletions
--- a/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/authentication.go
@ -364,9 +364,12 @@ func (s *DelegatingAuthenticationOptions) getClient() (kubernetes.Interface, err
 		clientConfig, err = loader.ClientConfig()
 	} else {
 		// without the remote kubeconfig file, try to use the in-cluster config.  Most addon API servers will
-		// use this path
+		// use this path. If it is optional, ignore errors.
 		clientConfig, err = rest.InClusterConfig()
-		if err == rest.ErrNotInCluster && s.RemoteKubeConfigFileOptional {
+		if err != nil && s.RemoteKubeConfigFileOptional {
 			if err != rest.ErrNotInCluster {
 				glog.Warningf("failed to read in-cluster kubeconfig for delegated authentication: %v", err)
 			}
 			return nil, nil
 		}
 	}
--- a/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/authorization.go
@ -151,9 +151,12 @@ func (s *DelegatingAuthorizationOptions) getClient() (kubernetes.Interface, erro
 		clientConfig, err = loader.ClientConfig()
 	} else {
 		// without the remote kubeconfig file, try to use the in-cluster config.  Most addon API servers will
-		// use this path
+		// use this path. If it is optional, ignore errors.
 		clientConfig, err = rest.InClusterConfig()
-		if err == rest.ErrNotInCluster && s.RemoteKubeConfigFileOptional {
+		if err != nil && s.RemoteKubeConfigFileOptional {
 			if err != rest.ErrNotInCluster {
 				glog.Warningf("failed to read in-cluster kubeconfig for delegated authorization: %v", err)
 			}
 			return nil, nil
 		}
 	}